What happens when a package author is deceased?

[ljharb]

This seems like something worth having an explicit policy on. My expectations:

The deceased's account should be locked (in a reversible manner, since sometimes reports of death are greatly exaggerated); future publishes should not be possible with it; but the username should remain forever to avoid misuse, and out of respect.

For any packages where the deceased isn't the only owner, nothing further need be done; the other owners can handle those packages as they see fit.

For packages where the deceased is the only owner: were it me, absent instructions, I'd want any such packages to not be subject to name takeover, and I'd want both of the following to be true:

1. it should be impossible for anyone to break consumers of the package by publishing a malicious update
2. it should be possible for a responsible maintainer to take over the package, presumably with some npm oversight, so as to benefit its users

I have an unfortunate concrete example that is very recent, and not public yet. The only public example I know of off the top of my head is https://www.npmjs.com/~luk, but that happened so long ago I'm both not sure what steps were taken, and I also assume preferred policies might have been very different then than now.

[MylesBorins]

Hey @ljharb .

This is definitely an important thing to consider in general for the platform. For now we need to wrap up the existing policy work around naming disputes before we expand the scope, but I have some ideas for approaches that could help with this.

[ljharb]

Sounds good! If the current state is "nothing will be done pending the policies being figured out", then there is no real urgency - there's only urgency if, absent those policies, a deceased maintainer's packages run the risk of being taken over or otherwise taken down.

[bkmgit]

One may also consider not active. As an example there is a fork of npm-run-all, npm-run-all2 that seems more actively maintained than the original, but the fork is not in the npm registry.

[MylesBorins]

@bkmgit is this not the fork?

https://www.npmjs.com/package/npm-run-all2

[krush11]

What we could do is add a nominee option like the one in github and after sufficient proof is submitted, the package ownership could be transferred to the nominee account

[ljharb]

That's an awesome partial solution - one Github itself already has (also Facebook) - but neither of those have a solution for when nobody has been named.